
Merge remote-tracking branch 'origin/imprv/add-option-preventXSS' into imprv/add-option-preventXSS-morita

# Conflicts:
#	lib/locales/ja/translation.json
#	lib/views/admin/markdown.html
mayu morita 7 anni fa
3f569b0646

+ 9 - 0
lib/form/admin/markdownXSS.js

@@ -0,0 +1,9 @@
+'use strict';
+
+var form = require('express-form')
+  , field = form.field;
+
+module.exports = form(
+  field('markdownSetting[markdown:isEnabledPreventXSS]').trim().toBooleanStrict()
+);
+

+ 1 - 0
lib/form/index.js

@@ -22,6 +22,7 @@ module.exports = {
     securityPassportGoogle: require('./admin/securityPassportGoogle'),
     securityPassportGitHub: require('./admin/securityPassportGitHub'),
     markdown: require('./admin/markdown'),
+    markdownXSS: require('./admin/markdownXSS'),
     customcss: require('./admin/customcss'),
     customscript: require('./admin/customscript'),
     customheader: require('./admin/customheader'),

+ 2 - 1
lib/locales/en-US/translation.json

@@ -393,7 +393,8 @@
 	},
 
   "markdown_setting": {
-    "markdown_rendering": "You can change Markdown rendering settings.",
+    "line_break_setting": "Line Break Setting",
+    "line_break_setting_desc": "You can change line break settings.",
     "Enable Line Break": "Enable Line Break",
     "Enable Line Break desc": "Treat line break in the text page as <code>&lt;br&gt;</code> in HTML",
     "Enable Line Break for comment": "Enable Line Break in comment",

+ 5 - 2
lib/locales/ja/translation.json

@@ -411,13 +411,16 @@
     }
   },
   "markdown_setting": {
-    "markdown_rendering": "Markdownレンダリングの設定を変更できます。",
+    "line_break_setting": "Line Break設定",
+    "line_break_setting_desc": "Line Breakの設定を変更できます。",
     "Enable Line Break": "Line Break を有効にする",
     "Enable Line Break desc": "ページテキスト中の改行を、HTML内で<code>&lt;br&gt;</code>として扱います",
     "Enable Line Break for comment": "コメント欄で Line Break を有効にする",
     "Enable Line Break for comment desc": "コメント中の改行を、HTML内で<code>&lt;br&gt;</code>として扱います",
+    "XSS_setting": "XSS防止設定",
+    "XSS_setting_desc": "マークダウンテキスト内のHTMLタグへの対処を変更できます。",
     "TBD": "(TBD: コメント欄の Markdown 化は未だ実装されていません)",
-    "Prevent XSS(Cross Site Scripting)": "クロスサイトスクリプティング(XSS)をブロックする",
+    "Prevent XSS(Cross Site Scripting)": "マークダウンテキスト内のHTMLタグを有効にする",
     "Prevent XSS(Cross Site Scripting)desc": "悪意のあるプログラムからの攻撃を防ぎます",
     "Prevent XSS(Cross Site Scripting)desc2": "無効にすることで、<code>&lt;iframe&gt;</code>等の一部ソースの表示を可能にします",
     "Allow all": "すべて許可する",

+ 12 - 0
lib/models/config.js

@@ -102,6 +102,7 @@ module.exports = function(crowi) {
   function getDefaultMarkdownConfigs() {
     return {
       'markdown:isEnabledLinebreaks': false,
+      'markdown:isEnabledPreventXSS': false,
       'markdown:isEnabledLinebreaksInComments': true,
     };
   }
@@ -334,6 +335,17 @@ module.exports = function(crowi) {
     return config.markdown[key];
   };
 
+  configSchema.statics.isEnabledPreventXSS = function(config) {
+    const key = 'markdown:isEnabledPreventXSS';
+
+    // return default value if undefined
+    if (undefined === config.markdown || undefined === config.markdown[key]) {
+      return getDefaultMarkdownConfigs[key];
+    }
+
+    return config.markdown[key];
+  };
+
   /**
    * initialize custom css strings
    */
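Review bot: `isEnabledPreventXSS` never returns the default it declares, because `getDefaultMarkdownConfigs[key]` indexes the function object instead of its result and so always yields `undefined`; the line should be `return getDefaultMarkdownConfigs()[key];`, which is also what the sibling getter ending just above this hunk appears to rely on. Today the bug is masked only because the declared default is `false`, which is itself worth a second look: with `'markdown:isEnabledPreventXSS': false` the sanitisation is opt-in, so any installation whose admin never visits the new page keeps whatever unsanitised behaviour the renderer currently has (the renderer is not in this diff, so I cannot confirm what it does when the flag is off). If opt-in is intentional, a short comment on the default line saying so, e.g. `// opt-in: HTML in markdown is passed through until an admin enables this`, would save the next reader the same question.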

+ 19 - 0
lib/routes/admin.js

@@ -130,6 +130,25 @@ module.exports = function(crowi, app) {
     }
   };
 
+  // app.post('/admin/markdown/XSSSetting' , admin.markdown.XSSSetting);
+  actions.markdown.XSSSetting = function(req, res) {
+    var XSSSetting = req.form.markdownSetting;
+
+    req.session.markdownSetting = XSSSetting;
+    if (req.form.isValid) {
+      Config.updateNamespaceByArray('markdown', XSSSetting, function(err, config) {
+        Config.updateConfigCache('markdown', config);
+        req.session.XSSSetting = null;
+        req.flash('successMessage', ['Successfully updated!']);
+        return res.redirect('/admin/markdown');
+      });
+    }
+    else {
+      req.flash('errorMessage', req.form.errors);
+      return res.redirect('/admin/markdown');
+    }
+  };
+
   // app.get('/admin/customize' , admin.customize.index);
   actions.customize = {};
   actions.customize.index = function(req, res) {
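Review bot: The callback passed to `Config.updateNamespaceByArray` in the new `actions.markdown.XSSSetting` handler ignores `err`, so a failed update still runs `updateConfigCache('markdown', config)` with whatever `config` came back and flashes "Successfully updated!" — for a setting that controls whether markdown HTML is sanitised, that leaves the admin believing protection is on when nothing was stored. The handler also writes `req.session.markdownSetting` but later clears `req.session.XSSSetting`, so one key is never cleared and the other never set; pick one name (I have used `XSSSetting` below, but match whatever the existing `lineBreaksSetting` handler outside this hunk does). The session write happens before validation, which mirrors the pattern above but means invalid input is persisted into the session too.
```javascript
  actions.markdown.XSSSetting = function(req, res) {
    var XSSSetting = req.form.markdownSetting;

    req.session.XSSSetting = XSSSetting;
    if (req.form.isValid) {
      Config.updateNamespaceByArray('markdown', XSSSetting, function(err, config) {
        if (err) {
          // do not touch the cache or report success when the store failed
          req.flash('errorMessage', [err.message || String(err)]);
          return res.redirect('/admin/markdown');
        }
        Config.updateConfigCache('markdown', config);
        req.session.XSSSetting = null;
        req.flash('successMessage', ['Successfully updated!']);
        return res.redirect('/admin/markdown');
      });
    }
    // … unchanged: invalid-form branch …
  };
```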

+ 2 - 1
lib/routes/index.js

@@ -77,7 +77,8 @@ module.exports = function(crowi, app) {
 
   // markdown admin
   app.get('/admin/markdown'                   , loginRequired(crowi, app) , middleware.adminRequired() , admin.markdown.index);
-  app.post('/admin/markdown/lineBreaksSetting', loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.markdown, admin.markdown.lineBreaksSetting);
+  app.post('/admin/markdown/lineBreaksSetting', loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.markdown, admin.markdown.lineBreaksSetting); //change form name
+  app.post('/admin/markdown/XSSSetting'       , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.markdownXSS, admin.markdown.XSSSetting);
 
   // markdown admin
   app.get('/admin/customize'                , loginRequired(crowi, app) , middleware.adminRequired() , admin.customize.index);
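Review bot: The `lineBreaksSetting` route line is re-emitted unchanged except for a trailing `//change form name` scratch note, which reads as a reminder to the author rather than documentation of the route; either perform the rename (the form is still `form.admin.markdown`) or drop the comment so the line stays byte-identical and the diff shows only the genuinely new `XSSSetting` route. The new route itself carries the same `loginRequired`, `adminRequired` and `csrf` chain as its neighbour, which is the right guard set for a handler that toggles sanitisation.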

+ 39 - 3
lib/views/admin/markdown.html

@@ -39,8 +39,8 @@
 
       <form action="/admin/markdown/lineBreaksSetting" method="post" class="form-horizontal" id="markdownSettingForm" role="form">
       <fieldset>
-        <legend>{{ t('Markdown settings') }}</legend>
-        <p class="well">{{ t("markdown_setting.markdown_rendering") }}</p>
+        <legend>{{ t('markdown_setting.line_break_setting') }}</legend>
+        <p class="well">{{ t("markdown_setting.line_break_setting_desc") }}</p>
 
         <div class="form-group">
           <label for="markdownSetting[markdown:isEnabledLinebreaks]" class="col-xs-4 control-label">
@@ -176,9 +176,40 @@
                         </form>
                     </fieldset>
                   </div>
-              </div>
 
+      </fieldset>
+      </form>
 
+      <form action="/admin/markdown/XSSSetting" method="post" class="form-horizontal" id="markdownSettingForm" role="form">
+      <fieldset>
+        <legend>{{ t('markdown_setting.XSS_setting') }}</legend>
+        <p class="well">{{ t("markdown_setting.XSS_setting_desc") }}</p>
+        <div class="form-group">
+          <label for="markdownSetting[markdown:isPreventXSS]" class="col-xs-4 control-label">
+            {{ t('markdown_setting.Prevent XSS(Cross Site Scripting)') }}
+          </label>
+          <div class="col-xs-5">
+            <div class="btn-group btn-toggle" data-toggle="buttons">
+              <label class="btn btn-default btn-rounded btn-outline {% if markdownSetting['markdown:isEnabledPreventXSS'] %}active{% endif %}" data-active-class="primary">
+                <input name="markdownSetting[markdown:isEnabledPreventXSS]" value="true" type="radio"
+                    {% if true === markdownSetting['markdown:isEnabledPreventXSS'] %}checked{% endif %}> ON
+              </label>
+              <label class="btn btn-default btn-rounded btn-outline {% if !markdownSetting['markdown:isEnabledPreventXSS'] %}active{% endif %}" data-active-class="default">
+                <input name="markdownSetting[markdown:isEnabledPreventXSS]" value="false" type="radio"
+                    {% if !markdownSetting['markdown:isEnabledPreventXSS'] %}checked{% endif %}> OFF
+              </label>
+            </div>
+            <!-- <div class="input">
+              <input type="radio" name="preventXSS" value="stripignoretag" checked>
+                {{ t('markdown_setting.Strip ignore tag') }}<br>
+              <input type="radio" name="preventXSS" value="WLtagnames">
+                {{ t('markdown_setting.White list tag names') }}<br>
+              <input type="radio" name="preventXSS" value="WLtagattribute">
+                {{ t('markdown_setting.White list tag attributes') }}
+            </div> -->
+            <p class="help-block">{{ t("markdown_setting.Prevent XSS(Cross Site Scripting)desc") }}<br>{{ t("markdown_setting.Prevent XSS(Cross Site Scripting)desc2") }}</p>
+          </div>
+        </div>
 
               </fieldset>
             </form>
@@ -223,9 +254,14 @@
             <button type="submit" class="btn btn-primary">{{ t("Update") }}</button>
           </div>
         </div>
+
       </fieldset>
       </form>
 
+
+
+
+
     </div>
   </div>
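Review bot: The ja string this commit assigns to `markdown_setting.Prevent XSS(Cross Site Scripting)` — the key bound to the ON/OFF toggle for `markdownSetting[markdown:isEnabledPreventXSS]` in the second hunk — reads, as far as I can tell, as "enable HTML tags in markdown text", which is the inverse of what `value="true"` stores and contradicts the two desc strings shown under it ("prevents attacks", "disabling allows `iframe` etc."); an admin switching it OFF to turn HTML tags off would actually be switching sanitisation off. Keep the label in the same sense as the stored flag (e.g. the previous blocking wording) or rename the flag and invert the radio values consistently, and note that the en-US hunk in this commit adds no `XSS_setting`/`XSS_setting_desc` keys, so the English page may render raw key names unless they already exist. The new form also repeats `id="markdownSettingForm"` from the line-break form earlier in the file, and its label's `for="markdownSetting[markdown:isPreventXSS]"` matches neither input name; drop the duplicate id and give the ON input an id the label can reference. The commented-out `preventXSS` radio block is dead markup and should be removed rather than shipped.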